topic Hi Neno,Thanks for the reply. in Network Access Control

Port security and 802.1x (ISE)

jc.saavedra — Mon, 11 Mar 2019 04:59:01 GMT

Hi everyone,

I'm implemmenting ISE in a network with Port Security enabled.

According the book Cisco ISE for BYOD and Secure Unified Access Port-security is not compatible with 802.1x.

I want to know what is the affectation of to have Port-security and 802.1x enabled on the same SW Port.

Someone?

Thanks!

There a lot of different

nspasov — Sat, 30 Aug 2014 05:15:47 GMT

There a lot of different commands, features and scenarios. Can you help us answer your question by telling us what exactly you are trying to accomplish?

Hi Neno, The scenario is: on

jc.saavedra — Mon, 01 Sep 2014 14:51:47 GMT

Hi Neno,

The scenario is: on the same SW port I have configured:

interface GigabitEthernet1/0/25
description PC Jeremias Castro
switchport access vlan 2008
switchport mode access
switchport voice vlan 2108
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 30
authentication event fail action next-method
authentication event server dead action authorize vlan 2008
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
macro description Phone-Host
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast

The port is configured to work with 802.1x and Port-security.

The question is, what is the problem if I have this config.

Thank you.

Using 802.1X with Port

Moin Ilyas — Tue, 02 Sep 2014 18:05:31 GMT

Using 802.1X with Port Security

You can enable an 802.1X port for port security by using the dot1x multiple-hosts interface configuration command. You must also configure port security on the port by using the switchport port-security interface configuration command. With the multiple-hosts mode enabled, 802.1X authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network through an 802.1X multiple-host port.

These are some examples of the interaction between 802.1X and port security on the switch:

•When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).

A security violation occurs if the client is authenticated, but port security table is full. This can happen if the maximum number of secure hosts have been statically configured, or if the client ages out of the secure host table. If the client's address is aged out, its place in the secure host table can be taken by another host. In this case, you should enable periodic reauthentication with a shorter time period than the port security aging time.

If the port is administratively shut down the port becomes unauthenticated and all dynamic entries are removed from the secure host table.

For more details please refer: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_13_ea1/configuration/guide/3550scg/Sw8021x.html#wp1049580

Hope that helps.

Thanks Moin, We have to

jc.saavedra — Thu, 04 Sep 2014 12:56:42 GMT

Thanks Moin,

We have to configure the port with authentication host-mode multi-domain and remove the por-security.

Thank you.

Hi Neno,I am also having some

Pranav Gade — Tue, 30 Sep 2014 08:57:55 GMT

Hi Neno,

I am also having some what similar kind off issue .

I am implementing 802.1x with port security for end user access machine with Anyconnect and ISE . Wherein some dell Laptop with docket having issue.

Issue - If dell laptop user connect there machine with docket then port goes in error disable (laptop having connection from IP Phone) then phone also gets disable.This only happens when then first time connect their laptop on docket

ISE Configuration - We have configured machine + user authentication with dotx method

Switch Configuration -

interface GigabitEthernetX/X
switchport access vlan X
switchport mode access
switchport voice vlan X
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky XX.XX.XX
switchport port-security mac-address sticky XX.XX.XX vlan voice authentication event server dead action authorize vlan XX
authentication event server alive action reinitialize
authentication port-control auto
authentication open auto qos voip cisco-phone
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
end

Laptop model issue - Dell latitude e4310 and e6510

Can anybody help me on this

Thanks

In general I stay away from

nspasov — Tue, 30 Sep 2014 17:19:26 GMT

In general I stay away from port-security if 802.1x is enabled. I personally don't see the benefit and IMO it only adds additional administrative overhead. In your scenario I believe the port becomes error disabled because you are exceeding the maximum allowed mac addresses, which in your configuration is 2. The reason you are exceeding this with the dock is because 99% of the time the dock also has its own mac address. So you in your scenario you end up with 3 total mac addresses on the port: One for the phone, one for the pc and one from the docking station.

Thank you for rating helpful posts!

Sorry, somehow I missed your

nspasov — Tue, 30 Sep 2014 17:20:28 GMT

Sorry, somehow I missed your reply and never replied back to you. Yes, in general I try to stay away from using dot1x and port-security in the same configuration.

Glad your issue was resolved!

Hi Neno,Thanks for the reply.

Pranav Gade — Thu, 02 Oct 2014 08:06:36 GMT

Hi Neno,

Thanks for the reply.. As we checked the port is going in error-disable with by phone mac address wherein phone is connected 24/7 and machine connects from phone.

Please find below logs from switch -

Oct 1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07 ======Phone MAC

Oct 1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF ======Laptop MAC

Oct 1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B

Oct 1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B

Oct 1 09:21:12: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B

Oct 1 09:21:12: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT APPLY

Oct 1 09:21:12: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPE DOT1X| EVENT IP-WAIT

Oct 1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID Unassigned

Oct 1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state

Oct 1 09:21:13: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E909E53935F3

Oct 1 09:21:13: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT REMOVE

Oct 1 09:21:13: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state

Can you guide us how to fix this one

Regards

Pranav

Add the following command to

nspasov — Thu, 02 Oct 2014 15:42:59 GMT

Add the following command to your switchport and test again:

authentication host-mode multi-auth

Thank you for rating helpful posts!

Re: Hi Neno,I am also having some

suporteredes — Tue, 13 Mar 2018 12:08:21 GMT

Dude, you have port-security limiting this port for 1 mac-address, but you have IP Phone, than laptop with Docket, with 2 or maybe 3 mac-addresses in total on that port. Maybe that's the problem. What does the show log shows you?

You could raise the mac-address limitation from 1 to 3 and remove the static mappings...